PLEASE NOTE: I HAVE PERMANENTLY MOVED MY BLOG TO http://www.rationalsurvivability.com/blog

June 25, 2007

An entire day and forum dedicated to NAC in the NYC? Huh. I thought we did that at InterOp and RSA already!? I suppose it's necessary to wade through all the, uh, information surrounding the second coming of network security.

If someone builds one for UTM, I will kill myself.

Oh NAC...I wish I knew how to quit you!

(I was going to photoshop the poster to the left including Alan Shimel and changing the title to BrokeNAC Mountain, but I can't find my Photoshop CD and I've got a plane to catch to Milan...)

I've made it clear that I think NAC (Network Admission Control and Network Access Control) is valuable and worth investing in as part of a layered defense. It ain't the silver bullet of security, however. Maybe Stiennon can come up with a new name for it and it will be?

I've also made it clear that despite the biggest amount of hype since the Furby, NAC will become a feature as part of a conglomeration of solutions in the short term (24 months); it already is a replacement blanket marketing term for companies that used to be SSL VPN's that then became IPS's that are now NAC. Look at the companies that now claim they're NAC-focused. That's usually because the "market" they were in previously collapsed -- just like NAC will.

It seems that NAC's relationship with the world plays out just like a scene from Brokeback Mountain where the two main characters discuss whether the public sees through the thin facade of the uneasy relationship they project to the world -- just like the front NAC puts on:

Ennis Del Mar: You ever get the feelin'... I don't know, er... when you're in town and someone looks at you all suspicious, like he knows? And then you go out on the pavement and everyone looks like they know too?

Jack Twist: [Casually] Well... maybe you oughta get out of there, you know? Find yourself someplace different. Maybe Texas.

Ennis Del Mar: [Sarcastically] Texas? Sure, maybe you can convince Alma to let you and Lureen to adopt the girls. And we can just live together herding sheep. And it'll rain money from LD Newsome and whiskey'll flow in the streams - Jack, that's real smart.

Jack Twist: Go to hell, Ennis. If you wanna live your miserable fuckin' life, then go right ahead.

Ennis Del Mar: Fine.

Jack Twist: I was just thinkin' out loud.

Ennis Del Mar: Yep, you're a real thinker there. Goddamn. Jack fuckin' Twist; got it all figured out, ain't ya?

If the next NAC Forum is held in Texas, you'll know the end of the world is near...'course there ain't nuthin' wrong with the heavens rainin' money and streams full-a whiskey...

At any rate, I was catching up on my back-dated blog entries and just read Dom Wilde's (Nevis Networks Illuminations Blog) summary of the Network Computing NAC 2007 Forum and couldn't help but chuckle. Shimel's review seemed a little more upbeat compared to Dom's, but since Alan got stalked by a blogger paparazzi in a three-wheeled, pedal-powered rickshaw, I can see why.

Snippet Summary from Dom's Post:

It's little wonder that people are confused about NAC. Too many times during the day I found myself with a furrowed brow trying to delineate between reality and fiction...Disappointing moment of the day - 7 panelists on the OOB panel frying the audience's collective brain, by taking 10 minutes each to say "me too". Result: half the audience didn't return after lunch for more lively and concise discussions on in-line and framework based solutions, and more critically, to hear narratives and lessons learned from people who have deployed NAC.

Snippet Summary from Alan's Post:

Anyway, it was a great way for people looking at deploying NAC to come up and touch and feed a real live NAC vendor. Ultimately, you still have to install the product and play with it yourself to see if it works. There were lots of claims and NAC crap flying today. I also would like to see more of a panel answering questions than just giving our elevator pitch powerpoints to the crowd. Still a worthwhile day and a good job by Network Computing. I think all of the elevator pitches will be posted on the NC site soon.

Sounds great.

Both Dom's and Alan's companies provide NAC solutions. Both were at the show. Both seem to convey the sense that this was more circus than scholarly. I'm not sure whether that's because it was focused on NAC or because most conferences/forums are completely useless in general, but I'm interested in the opinions of anyone else who was there.

June 16, 2007

Dr. Joseph Tardo over at the Nevis Networks Illuminations blog composed a reasonably well-balanced commentary regarding one or more of my posts in which I was waxing philosophical about my beliefs regarding keeping the network plumbing dumb and overlaying security as a flexible, agile, open and extensible services layer.

It's clear he doesn't think this way, but I welcome the discourse. So let me make something clear:

Realistically, and especially in non-segmented flat networks, I think there are certain low-level security functions that will do well being served up by the switching infrastructure as security functionality commoditizes, but for the most part I'm not yet sure how or where I draw the line between utility and intelligence. I do, however, think that NAC is one of those utility services.

I'm also unconvinced that access-grade, wiring closet switches are architected to scale in functionality, efficacy or performance well enough to provide any more value or differentiation (other than port density) than the normal bolt-on appliances, which continue to cause massive operational and capital expenditure due to repeated forklift upgrades over time. Companies like Nevis and Consentry quietly admit this too, which is why they have both "secure switches" AND appliances that sit on top of the network...

Joseph suggested he was entering into a religious battle in which he summarized many of the approaches to security that I have blogged about previously and I pointed out to him on his blog that this is exactly why I practice polytheism ;) :

In case you aren't following the religious wars going on in the security blogs and elsewhere, let me bring you up to date.

It goes like this. If you are in the client software business, then security has to be done in the endpoints and the network is just dumb "plumbing," or rather, it might as well be because you can't assume anything about it. If you sell appliances that sit here and there in the network, the network sprouts two layers, with the "plumbing" part separated from the "intelligence." Makes sense, I guess. But if you sell switches and routers then the intelligence must be integrated in with the infrastructure. Now I get it. Or maybe I'm missing the point, what if you sell both appliances and infrastructure?

I believe that we're currently forced to deploy defense in depth due to the shortcomings of today's solutions. I believe the "network" will not and cannot deliver all the security required. I believe we're going to have to invest more in secure operating systems and protocols. I further believe that we need to be data-centric in our application of security. I do not believe in single-point product "appliances" that are fundamentally functionally handicapped. As a delivery mechanism for security that matters across the network, this is what I believe in.

Again, the most important difference between what I believe and what Joseph points out above is that the normal class of "appliances" he's trying to suggest I advocate simply aren't what I advocate at all. In fact, one might surprisingly confuse the solutions I do support as "infrastructure" -- they look like high-powered switches with a virtualized blade architecture integrated into the solution.

It's not an access switch, it's not a single function appliance and it's not a blade server and it doesn't suffer from the closed proprietary single vendor's version of the truth. To answer the question, if you sell and expect to produce both secure appliances and infrastructure, one of them will come up short. There are alternatives, however.

So why leave your endpoints, the ones that have all those vulnerabilities that created the security industry in the first place, to be hit on by bots, "guests," and anyone else that wants to? I don't know about you, but I would want both something on the endpoint, knowing it won't be 100% but better than nothing, and also something in the network to stop the nasty stuff, preferably before it even got in.

I have nothing to disagree with in the paragraph above -- short of the example of mixing active network defense with admission/access control in the same sentence; I think that's confusing two points. Back to the religious debate as Joseph drops back to the "Nevis is going to replace all switches in the wiring closet" approach to security via network admission/access control:

Now, let's talk about getting on the network. If the switches are just dumb plumbing they will blindly let anyone on, friend or foe, so you at least need to beef up the dumb plumbing with admission enforcement points. And you want to put malware sensors where they can be effective, ideally close to entry points, to minimize the risk of having the network infrastructure taken down. So, where do you want to put the intelligence, close to the entry enforcement points or someplace further in the bowels of the network where the dumb plumbing might have plugged-and-played a path around your expensive intelligent appliance?

That really depends upon what you're trying to protect: the end point, the network or the resources connected to it. Also, I won't/can't argue against applying access/filtering controls (which sounds like IPS in the above example) closest to the client at the network layer. Good design philosophy. However, depending upon how segmented your network is and the types, value and criticality of the hosts in these virtual/physical domains, one may choose to isolate by zone or VLAN and not invest in yet another switch replacement at the access layer.

If the appliance is to be effective, it has to sit at a choke point and really be an enforcement point. And it has to have some smarts of its own. Like the secure switch that we make.

Again, that depends upon your definition of enforcement and applicability. I'd agree that in flat networks, you'd like to do it at the port/host level, though replacing access switches to do so is usually not feasible in large networks given investments in switching architectures. Typical fixed configuration appliances overlaid don't scale, either.

Furthermore, depending upon your definition of an enforcement zone and its corresponding diameter (port, VLAN, IP subnet), you may not care. So putting that "appliance" in place may not be as forbidding as you wager, especially if it overlays across these boundaries satisfactorily.

We will see how long before these new-fangled switch vendors that used to be SSL VPN's, that then became IPS appliances that have now "evolved" into NAC solutions, will become whatever the next buzzword/technology of tomorrow represents...especially now with Cisco's revitalized technology refresh for "secure" access switches in the wiring closets. Caymas, Array, and Vernier (amongst many) are perfect examples.

When it comes down to it, in the markets Crossbeam serves -- and especially the largest enterprises -- customers are happy with their switches; they just want the best security choice on top of them, provided in a consolidated, agile and scalable architecture.